Attack Chain

1. An attacker crafts a malicious input string containing a quoted string that ends with a trailing backslash (e.g., "\ or '\).
2. The attacker provides this malicious input string to an application that uses the dasel library.
3. The application passes the input string to the lexer.NewTokenizer function to create a new tokenizer.
4. The Tokenize method is called on the tokenizer to lex the input string.
5. The parseCurRune function is called to parse the current rune.
6. Inside parseCurRune, the code detects the backslash character but does not check if it’s the last character in the input.
7. The pos++ increments the position beyond the end of the input.
8. The subsequent p.src[pos] attempts to read past the end of the input slice, triggering a Go runtime panic and crashing the dasel process.

Impact

Successful exploitation of this vulnerability results in a denial-of-service condition. Any application using dasel that processes attacker-controlled selector strings is susceptible to crashing. This can impact web applications using dasel for dynamic querying, applications that construct selectors from user input, and shared tooling environments where selectors are passed as parameters. The severity is high because a minimal input can cause an immediate process crash.

Recommendation

• Upgrade to a patched version of dasel that includes the fix for CVE-2026-46377 once available.
• Implement input validation and sanitization on selector strings to prevent malicious inputs containing trailing backslashes in quoted strings, mitigating the risk even without a patch.
• Monitor application logs for panic errors originating from the dasel/selector/lexer package to detect potential exploitation attempts.
• Deploy the Sigma rule Detect Dasel Trailing Backslash Panic (CVE-2026-46377) to identify processes that may be crashing due to this vulnerability by detecting the “index out of range” error message.